Hi,

Thank you for your reply. I spent a couple of hours on this today with not much luck. Please find my replies below.


Then check what is blocking port 25. Is it your Debian firewall or your VPS provider?

There is no VPS provider firewall. The one I can use is disabled. I asked support if there were any firewall beyond mine and their answer is no. I should get full access to any port I may need.

On the VPS, iptables is set to ACCEPT in every way, INPUT, OUTPUT and FORWARD. I added explicit ACCEPT rules for testing but did not get better results.

But everything looks good now, all ports are publicly reachable. I did send you a test mail and your server accepted it. (In plaintext but still.)

I also gave http://www.antispam-ufrj.pads.ufrj.br/test-relay.html a shot. It reached your server. It couldn't do it the last time.


Still, I can reach port 587 in addition to 143 but no 25 nor 465 and 993.

I can reach all, except for 465. But that is ok because according to your smtpd.conf the server isn't listening on it.


Here is my smtpd.conf:

pki mail.ivanroth.fr cert "/etc/letsencrypt/live/mail.ivanroth.fr/fullchain.pem"
pki mail.ivanroth.fr key "/etc/letsencrypt/live/mail.ivanroth.fr/privkey.pem"

filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } junk

filter check_rdns phase connect match !rdns junk

filter check_fcrdns phase connect match !fcrdns junk

filter senderscore proc-exec "filter-senderscore -junkBelow 70 -slowFactor 5000"

filter rspamd proc-exec "filter-rspamd"

table aliases file:/etc/aliases

listen on 0.0.0.0 tls pki mail.ivanroth.fr \
     filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd

Your server greets the world with

220 ivanroth.fr ESMTP OpenSMTPD

which is the wrong hostname, which leads to "opportunistic TLS failed, downgrading to plain". Try forcing the right hostname:

listen on 0.0.0.0 hostname mail.ivanroth.fr tls pki mail.ivanroth.fr \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on 0.0.0.0 port submission tls-require \
 hostname mail.ivanroth.fr pki mail.ivanroth.fr auth \
 filter rspamd


#listen on ens3 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
#listen on ens3 port submission tls-require pki mail.ivanroth.fr auth filter rspamd

action "local_mail" maildir junk alias <aliases>
action "outbound" relay helo mail.ivanroth.fr

match from any for domain "ivanroth.fr" action "local_mail"
match for local action "local_mail"

match from any auth for any action "outbound"
match for any action "outbound"

If I'm not mistaken, the last line is redundant. (Without a "from", "from local" is implied, which in turn implies "auth", which is covered by the line "from any auth" before it.)


$ nmap localhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-10 21:58 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps

Every port is reachable from the public now. (For me at least.) Only you can tell if you went overboard with opening up everything.
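The greeting/certificate mismatch discussed above, as an added example that is not code from this thread or from OpenSMTPD: a small probe that reads the 220 banner, sends EHLO, checks that STARTTLS is offered, and then attempts a verified TLS handshake against the name the server greeted with, so a greeting that does not match the certificate shows up as a verification error instead of a silent plaintext downgrade. The EHLO name "probe.invalid" and the sample values are assumptions made for illustration.

```python
"""Added example, not from the thread: probe an SMTP listener as a peer MTA sees it.
Reads the 220 banner, EHLOs, checks STARTTLS, then verifies TLS against the greeting name."""
import re
import socket
import ssl

GREETING = re.compile(r"^(?P<host>\S+)\s+ESMTP\b")
SAMPLE_GREETING = "ivanroth.fr ESMTP OpenSMTPD"  # banner quoted in the thread (constructed sample)
EXPECTED_FQDN = "mail.ivanroth.fr"              # name the certificate is issued for

def greeting_hostname(banner):
    """Hostname from a 220 greeting text, or None if it is not '<host> ESMTP ...'."""
    m = GREETING.match(banner.strip())
    return m.group("host") if m else None

def greeting_mismatch(banner, expected_fqdn):
    """True when the greeting names a host other than the one the certificate covers."""
    return (greeting_hostname(banner) or "").lower() != expected_fqdn.lower()

def read_reply(f):
    """Read one SMTP reply from a binary line reader, following '250-' continuation lines."""
    lines = []
    while True:
        raw = f.readline().decode("utf-8", "replace")
        if not raw:
            raise ConnectionError("peer closed the connection")
        lines.append(raw[4:].rstrip("\r\n"))
        if raw[3:4] != "-":
            return int(raw[:3]), lines

def starttls_offered(ehlo_lines):  # first EHLO line is the server name, the rest are extensions
    return any(l.strip().upper() == "STARTTLS" for l in ehlo_lines[1:])

def probe(host, expected_fqdn, port=25, timeout=10):  # live network check, not run on import
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _, (banner, *_) = read_reply(f)
        sock.sendall(b"EHLO probe.invalid\r\n")  # assumed client name for the probe
        _, ehlo = read_reply(f)
        result = {"greeting": banner, "greeting_mismatch": greeting_mismatch(banner, expected_fqdn),
                  "starttls_offered": starttls_offered(ehlo), "tls_verified_for_greeting_name": False}
        if result["starttls_offered"]:
            sock.sendall(b"STARTTLS\r\n")
            read_reply(f)  # 220 Ready to start TLS
            try:  # a cert for mail.ivanroth.fr does not verify for a greeting of ivanroth.fr
                ssl.create_default_context().wrap_socket(sock, server_hostname=greeting_hostname(banner) or expected_fqdn)
                result["tls_verified_for_greeting_name"] = True
            except ssl.SSLCertVerificationError as e:
                result["tls_error"] = str(e)
        return result
```

Run `probe("mail.ivanroth.fr", EXPECTED_FQDN)` by hand against a live server; a `tls_error` entry together with `greeting_mismatch: True` is the symptom described above.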

